Divisional Risk Assessment
The purpose of a Divisional Risk Assessment carried out by ISEA is to provide a high-level qualitative and quantitative review of a division's people, processes and technology, and of its handling of confidential information, in order to determine the division's current risk posture. The assessment is not a comprehensive evaluation, but it identifies the high-level risks and provides guidance on prioritizing and remediating them, to help the division reduce its risk to an acceptable level.
A Divisional Risk Assessment follows the six-phase approach adopted in other successfully completed assessments:
Survey > Inventory > Connect > Classify > Analyze > Assess
The following are out of scope:
- Financial Controls
- Physical Security Controls
The process starts with a series of interviews with key people, such as those in the following or similar positions, or someone they designate:
- Chief Administrative Officer
- IT Manager
- IT Staff
- Technology support
- Academic Leadership, as needed
- Administrative staff, as needed
- External suppliers of services (firewall, backups, classroom management)
In general, all interviews will take place with the IT manager present.
In more detail, these are the steps planned for a Divisional Risk Assessment.
Survey
The Survey step is the scoping exercise. In this step we want to identify:
- Internal departments
- IT systems / services / processes
- Broad usages
- Division-wide governance / compliance requirements (such as FIPPA, and any external and internal requirements specific to the division)
- Key sources of data
- Any existing data, such as system analyses previously performed by ISEA, that can inform this process
The Survey will produce an organization chart on which to overlay the major information systems / data repositories, data flows and academic / administrative processes, and will provide a high-level view of the controls / risk management processes in place.
Inventory (Asset / Process)
In this step we confirm and expand on the responses from the Survey step by identifying components (data, actors and constraints):
- Data repositories / systems (locations, ownership, custodianship and support for business functions / objectives)
- Departments / groups / roles
- Governance / compliance requirements (legislation, regulations, and contractual obligations)
Connect
Based on the above Inventory, in this step we identify the links – formal and informal – that connect:
- Data / process / procedure interactions (data flows)
- External data sources / destinations (integration with University systems), i.e. upstream and downstream dependencies
- Internal / external services
Classify
In this step we will create data classifications based on:
- Impact of disclosure, alteration, loss and compromise (i.e. loss of accountability for the data)
- Point of origin for / destination of data
Classifications are made in the context of governance / compliance requirements and organizational objectives, building on the data collected in the Inventory phase.
Analyze the situation
We will provide an understanding of the environment's controls as they relate to the connections identified in the Connect step, in the context of the following:
- Identity Management
- Access and Change controls
- Encryption and Network Isolation
- Service Continuity
- Monitoring and Reporting
- Risk Analysis
- Architectural Alignment
- Data Governance Compliance
Assess the Risks
In this step we perform Risk and Strategic Integration Assessments, comparing the controls (or lack thereof) found in the Analyze step against the requirements for protecting the data as prioritized in the Classify step, thereby assessing the division's risk exposure.
Our deliverable will be a report and a spreadsheet containing all of the above work, which will highlight, and suggest remediation for, the following concerns, if any:
- Groups and / or data outside of identified compliance requirements (this indicates an absence of governance or a lack of control)
- Groups and / or data without access / change / reporting controls (this is a technical assessment indicating risk exposure, e.g. the possibility of data / system misuse resulting in a business impact)
- Gaps in data flow connections (an example would be repositories of data with no connections; identifying these allows operational architecture optimization)
- Gaps in the provision of information services (an example would be the lack of a technologist to support lecture capture)
- Duplication of data repositories and services (an example would be people collecting the same data in different places, or the use of multiple applications for similar services; identifying these allows operational architecture optimization)
- Self-provision of centrally available services (services that are available from the center but that the division is not currently using; the division could then choose to leverage these core services in order to free local resources for unit-differentiating activities)
A Divisional Risk Assessment will take up to three months to complete, depending on the availability of personnel within the division as well as within ISEA.